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' Abstract 

It is known that crooked functions can be used to construct many in- 
^ ^ teresting combinatorial objects, and a quadratic function is crooked if and 

O ' only if it is almost perfect nonlinear (APN). In this paper, we introduce 

' two infinite classes of quadratic crooked multinomials on fields of order 

2^™. One class of APN functions constructed in [7] is a particular case 
of the one we construct in Theorem 1. Moreover, we prove that the two 
classes of crooked functions constructed in this paper are EA inequivalent 
, to power functions and conjecture that CCZ inequivalence between them 

' also holds. 

' Keywords: Crooked functions, almost perfect nonlinear, Bent functions, 

O . EA equivalence, CCZ inequivalence. 

^ '■ 1 Introduction 

00 : 

^SJ , Let denote a finite field with 2" elements, which is also considered as an 

CO ' n-dimensional vector space over its subfield i<2- The affine hyperplanes in i^2'» 

are the subspaces of dimension n — 1 and their complements. A function / : 
i^2" is called differentially (5-uniform [26] if for every a and every 
b in F2n, the equation f{x) + f{x -\- a) — h has at most 5 solutions. Vectorial 
Boolean functions used as S-boxes in block ciphers should have low differentially 
uniformity to resist differential cryptanalysis [6] . Since for any function, we have 
(5 > 2 (if t is a solution, then i + a is a solution too), differentially 2-uniform 
^> , functions, called almost perfect nonlinear (APN), are optimal. 

■ For odd n, the property of APN is closely related to another extremal kind 

. 5^ , of nonlinearity, called almost Bent (AB), which can be described by the walsh 

transform. Let tr[x) denote the trace function from i^2" to F2 (that is, tr{x) — 
x + x"^ + ... + .T^" ^ ) , then the Walsh transform of a given function / : i^2'» — > -F2 
is the integer- valued function over i^2" which is defined as 

Wf{uj) = J2 (-l)^(^)+*''("'^\ 
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The nonlinearity of / is given by 

nZ(/) = 2"-i-l max \Wf(,o)\. 

The Walsh transform of / : is defined as the collection of all Walsh 

transforms of component functions of /, i.e., 

Wf{uj,a)= ^ (^-iyr(af(x))+tr(u,x)^ 

The set 

Tf = {W/(w,o) : w.a e F2n,a^ 0} 

is called the Walsh spectrum of /. If the Walsh spectrum of / equals {0, ±2^^ }, 
then the function / is called AB [15]. Every AB function is APN, and for n odd, 
any quadratic function is APN if and only if it is AB. There are many papers 
on these two notions (see [2,3,9,11-14,16-19,21,22]). 

The APN function f{x) is called crooked if the set {f{x) + f{x+a) : x £ ^2^} 
is an aflane hyperplane of F2»i for each 7^ a G F2»i. Crooked functions can 
be used to construct many interesting combinatorial objects, such as distance 
regular graphs (see [1,27,28]). 

A function / : F2». F2»> is called quadratic if it is defined by a polynomial 
with exponents of binary weight 2, i.e., 

/(x)= <'^^^^"'- 

0<i,j<n-l 

Clearly, f{x) + f{y) + f{x + y) is bilinear, and therefore a quadratic function is 
crooked if and only if it is APN. It has been proved that the only crooked power 
functions are the quadratic functions a;^'"'"^^ with gcd{n,i — j) = 1 [24,25], and 
a binomial function aa;' -|- bx^ can be crooked only if both exponents i, j have 
binary weight < 2 [5]. 

If / is an APN function, Ai , A2 are affine permutations and A is an affine 
map, then the function = ^1 o / o ^2 + ^ is also APN. The function / and g 
arc then called extended affine (EA) and simply affine equivalent ii A = 0. The 
differentially uniformity of a function is an invariant of EA equivalence. Besides, 
the inverse of any APN permutations is APN as well. However, a permutation 
is not necessarily EA equivalent to its inverse, even though they have the same 
differentially uniformity. 

In [14], Carlet, Charpin and Zinoviev introduced a more general notion of 
equivalence, referred to as Carlet-Charpin-Zinoviev (CCZ) equivalent, which 
preserves APN and AB properties. Two functions / and g are called CCZ 
equivalent if for some affine permutation 9 of F^n , the image of the graph of 
/ is the graph of 9, i.e. Q{Gf) = Gg, where Gf = {{x,f{x)) : x G -^2"} and 
Gg = {{x,g(x)) : x G ^2"}. Differentially uniformity and resistance to linear 
and differential cryptanalyses are invariants of CCZ equivalence. Moreover, EA 
equivalence is a particular case of CCZ equivalence and any permutation is 
always CCZ equivalent to its inverse (see [23]). 

It was believed that any quadratic APN polynomial is affine equivalent to a 
Gold power function (x^ """^ with gcd(n,i) = 1). In [20], A new APN function 
on ^210 if {3:) = x'^ +ux^^ for a suitable u G -F210) which is not affine equivalent 
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to any of previous known APN functions arc constructed. In [8], Budaghyan 
and Carlet construct a new infinite class of quadratic APN trinomials and a new 
potentially infinite class of quadratic APN hexanomials which they conjecture 
to be CCZ incquivalcnt to power functions for n > 6 and they confirm this 
conjecture for n = 6. Then two new classes of quadratic APN binomials CCZ 
inequivalent to power functions are constructed in [10], those are the first found 
infinite classes of APN polynomials which are proved not to be CCZ equivalent 
to power function. Bierbrauer gives a brief construction in [3] for all known 
examples of crooked binomials, which consist of an infinite family and one spo- 
radic example. In [7], the authors introduce two new infinite classes of APN 
functions, one on fields of order 2^*^ for k not divisible by 2, and the other on 
fields of order 2^*^ for k not divisible by 3. The polynomials in the first class 
have between three and k + 2 terms, and the second class's polynomials have 
three terms. 

In this paper, we introduce two infinite classes of quadratic crooked multi- 
nomials on fields of order 2^™. The first class of APN functions constructed 
in [7] is a particular case of the one we construct in Theorem 1. Moreover, in 
Section 3, we prove that the two classes of crooked multinomials constructed in 
this paper arc not EA equivalent to all power functions and we conjecture that 
CCZ inequivalence between them also holds. 



2 Two classes of crooked multinomials 

To establish the crooked property of a function / on , we must show that / 
is APN, that is, the equation f{x) + f{x + a) = b has at most two solutions in 
-Pj" 7 for every a ^ and every b in _F2" • Moreover, wc should show that the set 
{f{x) + f{x + a) : X £ F2r> } is an afHne hyperplane of for each a € ^2" • 
If / is quadratic, then / is crooked if and only if / is APN, and the equation 
has at most two solutions if and only if f{x) + f{x + a) + f{a) = has two solu- 
tions. In Theorem 1 and Theorem 2, we will prove that the two infinite classes 
of quadratic multinomials constructed by us are APN, and therefore are crooked. 

Theorem 1. Let m,i,j be any positive integers such that i > j, and let 
n = 2m, q = 2™, gcd(i — j, n) = 1, ri G i^2"' for each i, and c,d G be such 
that c(^F2^,d(f: e F2->}. Let {0. l}^ K <Z {0,1, ...,n- 1} be such 

that YlikeK^"^ ~^ irreducible over i^2"- Then the multinomial 

m— 1 

is crooked on ^2" • 
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Proof. For any a e -F2" , 

F{x) = f{x) + f{x + a) + f{a) 

= c(x«a + xa«) + ^ n (x^' a«^' + x'^" a^' ) 

i=l 

+ ^ a (x a +x a ) 

keK 



Since 



= + = (c + c«)x9+\ 

i^2 = /(x + a)+/(x + a)« = (c + c«)(x + a)«+\ 
f3 = /(a) + /(a)3 = (c + c«)a«+\ 



we have 



F{x) + F{xy = F1+F2+F3 

= (c + c'')(x«a + xa«). 

If F{x) = 0, then F{x) + F(x)i = 0. Since c ^ F2-, we have x«a + xa^ = 0. 
Let X = at. Then f = t. The equation F(./;) = becomes 

keK 

Since X^^g^ a;^*""^ is irreducible over F2n and it is not equal to x + 1, we get 
d ^ {u^'+^^u e ^2"} implies 

and therefore t^' + = 0, that is t^' (t'^' ' + 1) = 0. Since gcd(i —j,n) = 1, we 

get i = or 1. Therefore, /(x) is APN, and the result follows. 

Remarks: 

1. The class of APN function constructed in Theorem 1 of [7] is a particular 
case of the one we construct above for j = 0, K = {0} and m and i both odd. 

2. Let m = 6, i = 8, j = 1, K = {0}, c,d be primitive elements of F212 and 
Ti € F26 for each i. Then the function 

m — 1 



fix) = CX' +' + dx^ +^ + ^2^2^+4 + ^ nx 



2'+2' 

=1 



is a crooked function of F212 , which is an example not belong to the class con- 
structed in [7]. 
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Theorem 2. Let m,i,j be any positive integers such that i > j, and let 
n = 2m, q = 2™, gcd(z — j,n) = 1, and c,d,ri £ -F2" be such that = 1, 
c + dc« 7^ 0, d ^ {m2'+2%u g and d = r\~'^ for each i. Let {0,1} 7^ 

K C {0, 1, n — 1} be such that X^^gx a;^ ~^ is irreducible over . Then the 
multinomial 

m—1 

i + fci nj + fc 



is crooked on . 

Proof. For any 7^ a G i^2" , 



= /(x) + /(x + a) + /(a) 

m—1 

= c(a;«a + a;a«) + ^ ri(x2'a«2' + x'^'a^') 
+ > (a; a + x a ) 



keK 

^i+k ^n3 + k 



we have 



keK 

F{x) + d ■ Fix)" = {c + dc'i){x'ia + a;a«). 



If ^'(a;) = 0, then F{x) + d-F{xY = 0. Since c+dc« 7^ 0, we have x'o + xa' = 0. 
Let x = at. Then = t. The equation F{x) = becomes 

^((a2*+2^' +da«(2'+2^))(f2' =0. 

Since X^fegK a;^*""^ is irreducible over ^2" and it is not equal to a; + 1, we get 

(a2'+2^+da«(2'+2^))(t2'+^2^)=0. 
d ^ {u^'+^^u G i^2"} implies 

and therefore i^' + = Q, that is t^' {t^' ^ + 1) = 0. Since gcd(i -j,n) = 1, we 
get t = or 1. Therefore, f{x) is APN, and the result follows. 



3 Their inequivalence with power crooked func- 
tions 

It is known that the only crooked power functions on F2" sue the quadratic 
functions x"^'^"^^ with gcd(n, i — j) = 1, which are equivalent to ^2°+^ with 
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gcd(n, s) — 1. Proving CCZ inequivalence of functions is very difficult. In 
what follows, we prove that the crooked functions introduced by us are not EA 
equivalent to all power functions. 
By Theorem 1, we have 

is crooked on F^w , where c, € F^-^'i arc primitive. 



Theorem 3. Let c, d G F^ii are primitive. Then the function 

is EA inequivalent to power functions on F-^^i . 

Proof. Suppose / is EA equivalent to a power function. Then / is EA 
equivalent to +^ for some nonzero s € ZjVlZ. Hence there exist affine 
permutations A\{x) ^ A^ix) and an afBne map A(x) such that 



Let 



A\{x) = aid? 
jez/i2z 



Then we have 



ieZ/l2Z 

= Y: hbtx^'^-'^'+A 
i,fcez/i2Z 

Compare the coefficients of the terms with the same degree, we get 

for t € Z/12Z and t^5,6, 7, and 

aiC^' = bi+6bf_^ + 6i6-+6-s (2) 
ai(f' = 6i+86f+i_« + 6i+i6-+8_« (3) 
aid^^^' = b^+^b1l^_^ + bi+2bf+^_, (4) 
Suppose o, ^ for some i. If h+j-s 7^ 0, for some j, then by (1) we have 

h+jb~^j_s = bi+j+tb~^j^i_^, 

for t € Z/UZ and t ^ 5,6,7. 

If j = 0, we take t=l—j and 8 — j, then 

bi+jb~^j_^ = bi+ib~^-^^_^ = bi+8b~^^_^, 



6 



which is contradictory to the equation (3). Therefore, we get 

k-s = 



(5) 



If j — 6, we take t — 2 — j and 7 — j, then 

which is contradictory to the equation (4). Therefore, we get 

- (6) 

By (2), (5) and (6), we deduce that ai = 0. Then by the randomness of i, we 
have A\{x) = 0, which is a contradiction, and the resuh follows. 
By the same method, we can deduce the following Theorem: 

Theorem 4. The crooked functions constructed in Theorem 1 and Theorem 
2 are EA inequivalent to power functions on i^2"- 

We conjecture that the functions constructed in Theorem 1 and Theorem 
2 are CCZ inequivalent to power functions, which we leave it as an open problem. 

Conjecture 1. The crooked functions constructed in Theorem 1 and Theorem 
2 are CCZ inequivalent to power functions on i^2"- 

4 Conclusion 

In this paper, we introduced two infinite classes of quadratic crooked multino- 
mials on fields of order 2^™. One class of APN functions constructed in [7] is a 
particular case of the one we constructed in Theorem 1. Moreover, we proved 
that the two classes of crooked functions constructed in this paper are EA in- 
equivalent to power functions and conjectured that CCZ inequivalence between 
them also holds. 
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